Problems with Self-Signed Certificates

Wednesday, November 25, 2015

A self-signed certificate is a digital certificate in which an entity authenticates itself. A self-signed SSL certificate uses the same algorithms as certificates issued by Certificate Authorities (CAs), so users still receive the data protection that server encryption provides. However, this type of Secure Sockets Layer (SSL) certificate is not validated by a reliable third party such as a trusted CA and is, therefore, considered less trustworthy.

Self-signed certificates often trigger security warnings because browsers such as Internet Explorer (IE) do not recognize the certificate. Every browser has a defined list of 'Trusted Root Certification Authorities' (some publicly available, some not) and checks the SSL certificate installed on each web server against it. If the certificate on the server does not trace back to one of the trusted root CAs in the browser's list, the browser displays a security warning. These warnings can affect brand reputation and business, chasing new and returning visitors away.

List of Trusted CAs by Browsers

(1) For Windows/IE, the list of CAs that are members of the Windows Root Certificate Program as of September 2014 is outlined in this PDF document.

(3) For Chrome, we were not able to find the documentation, deducing that this information may not be available to the public.

Problem #2: Missing Components

Because the certificate is self-generated, several components will be missing from it, leaving servers that have the certificate installed vulnerable. Some common important elements include:

Extended Key Usages (EKUs) indicate what the public key in the certificate will be used for: a client or a server. The CA/B Forum requires all publicly trusted SSL certificates to include the web server authentication EKU, the web client authentication EKU, or both.

(2) Missing AIA

Authority Information Access (AIA) information is used by browsers and other applications to check the validity of an SSL certificate. If it is missing, browsers will view the certificate as dangerous and unsafe and display a warning message.

It is always good to include basic constraints information so that each library can identify the certificate as an End Entity and does not misidentify it, for example as a malicious certificate.

(4) Missing Key Usage Digital Signature

A Key Usage of digital signature affirms that the certificate is used for a specific purpose. If the Key Usage is missing, attackers can exploit the certificate and use it for malicious purposes.
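The four components listed above can be checked programmatically. The following is an added example, not code from the original post: it self-signs a throwaway certificate with Go's standard library and reports which of the components are absent. The helper names selfSign and missingComponents and the host name intranet.example.test are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSign (hypothetical helper) issues a constructed, throwaway self-signed certificate from tmpl.
func selfSign(tmpl *x509.Certificate) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(1)
	tmpl.Subject = pkix.Name{CommonName: "intranet.example.test"} // constructed sample name
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // subject == issuer
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der) // re-parse so the audit sees what a client would see
	if err != nil {
		panic(err)
	}
	return cert
}

// missingComponents (hypothetical helper) names the components from the list above that c lacks.
func missingComponents(c *x509.Certificate) (out []string) {
	note := func(absent bool, name string) {
		if absent {
			out = append(out, name)
		}
	}
	note(len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) == 0, "EKU")
	note(len(c.IssuingCertificateURL)+len(c.OCSPServer) == 0, "AIA")
	note(!c.BasicConstraintsValid, "BasicConstraints")
	note(c.KeyUsage&x509.KeyUsageDigitalSignature == 0, "KeyUsage digitalSignature")
	return out
}

func main() {
	fmt.Println("bare self-signed certificate is missing:", missingComponents(selfSign(&x509.Certificate{})))
}
```

Passing a template that sets KeyUsage, ExtKeyUsage, BasicConstraintsValid and OCSPServer (or IssuingCertificateURL) produces a certificate for which the audit returns an empty list.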

Problem #3: It Gets Outdated Fast

The SSL/TLS protocol goes through continual rounds of changes as researchers seek to improve the encryption technology. As of today, TLS 1.2 is the latest release, with TLS 1.3 on its way. With self-signed certificates, the certificate will get outdated fast, exposing servers to vulnerabilities from previous protocols.

Solution: Eradicating Problems with CA Certificates

Major browsers such as IE, Chrome, and Firefox work closely with members of the CA/B Forum to ensure a more secure use of the Internet.

DigiCert is one CA that works very closely with Browser Services to improve SSL technologies, such as through the creation of Extended Validation (EV) and Certificate Transparency. Being at the frontline of SSL technologies, DigiCert certificates use the most up-to-date encryption, and DigiCert passes all of this on to its users.

Price is also highly competitive in the industry, easily making them one of the most affordable in high assurance and reliable digital certificates. With 24/7 technical live chat support and a full suite of certificate management tools available, it is undeniable DigiCert deserves a 5-star rating on SSLShopper, an independent SSL review site.

The Bottom Line

Self-signed certificates may be a free and immediate solution to encryption; however, implementing self-signed certificates is not sustainable in the long run and is bound to face problems eventually. When that happens, time will be spent troubleshooting, fixing and mitigating. Instead of letting that happen, it is better to adopt CA certificates right from the beginning.